Three new stories this week:

1_ Two Nigerians Visit Kuala Lumpur

Back in 2014, two Nigerian chaps (sorry folks, you’re not helping the stigma) were living with expired Visas in Kuala Lumpur.

Instead of using their new found freedom to enjoy the sights of say, the Petronas Twin Towers, they launched phishing campaigns. These campaigns were targeted at employees at 140 educational institutes across the United States. Once usernames and passwords were obtained via their phishing emails, Olayinka and Damilola acquainted themselves with the financial systems of said institutes.

Their end game was to change the banking details of employees in order to reroute salary payments to accounts they (or their more unscrupulous friends) controlled. These phishing attacks were successful at 20 schools; however, when Georgia Tech personnel didn’t get their Thanksgiving paychecks, they caught wind of what was going on and called the Feds.

After some proper investigation and cooperation with the Malaysian authorities, Olayinka and Damilola was given silver arm bracelets and extradited to the US to face trial. Olayinka got six years behind bars, with Damilola receiving three.

In addition to their prison sentences, the judge also ordered them to pay restitution of $56,175.44 each (about ₦20,358,214). Back in Lagos, this can buy them around 76,000 heads of lettuce, each.

2_ Phishing for iPhones

Joseph Cox and Jason Koebler over at Motherboard wrote a detailed piece titled: “How Hackers and Scammers Break into iCloud-Locked iPhones“. In this piece they delved into the world of thugs stealing iPhones and what goes into getting them unlocked.

If you are planning to not read their article, at least know this:

If your iPhone / iPad is stolen, the thug typically can’t do anything with it unless they have your unlock code or iCloud password. (Read the full piece to see why I say ‘typically’). This means they can’t factory reset it to sell it on.

However, there is a fairly good chance that the thieve might target you with phishing or other social engineering attacks. Reason: To get you to give up your device lock code or your iCloud account details.

And if you’re thinking: ‘Ah, first world problems, won’t affect us down South’ Think again… same attacks have been running here for the last few years already.

3_ A Bad Week At Eskom

Eskom, our local (South African) electricity provider is having an interesting week.

First, a guy on Twitter claimed to have found an online database of Eskom that’s exposing customer details. Following attempts to responsibly disclose this, he voiced his concerns in a tweet. However, Eskom has come back stating that the database he identified is not theirs, but they are investigating if the data is…

Second, another guy on Twitter claimed to have identified an Eskom computer which was infected by a RAT. It does not seem like this is a critical system (i.e. SCADA stuff) but rather a computer of a Tannie that shops for Bernina sewing supplies at Makro (based on her desktop icons). But, nether the less, still not where you want to be.

Finally, our President just announced that Eskom is being split into three separate entities (generation, transmission and distribution). This is in an attempt to prevent the corruption ridding entity from dragging the entire country’s economy down the pooper. Not that it has anything to do with points one and two, but now you know.

1_ How To Stuff A Chicken

If you are on the market for some roast chicken tips, here are a few great ones from Jamie: https://www.youtube.com/watch?v=bJeUb8ToRIw

Back to today’s actual program: Credential Stuffing Attacks.

The online video streaming site Dailymotion (which is a treasure trove for bootlegging MasterChef Australia episodes) was recently the target of a Credential Stuffing Attack. According to their website, Dailymotion attracts “300 million users from around the world, who watch 3.5 billion videos on its player each month.“

The attack consists in “guessing” the passwords of some dailymotion accounts by automatically trying a large number of combinations, or by using passwords that have been previously stolen from web sites unrelated to dailymotion.

Credential Stuffing attacks aren’t anything new. In October 2018, the American Cloud Services Provider, Akamai, published a report on Credential Stuffing attacks. They recorded around 8.35 billion credential stuffing attempts world wide between May and June 2018, with the US and Russia being the main attack sources.

The report further notes:

“These botnets attempt to log into a target site in order to assume an identity, gather information, or steal money and goods. They use lists of usernames and passwords gathered from the breaches you hear about nearly every day on the news. They’re also one of the main reasons you should be using a password manager to create unique and random strings for your passwords. Yes, remembering that “*.77H8hi9~8&” is your password is difficult, but having your login at the bank compromised is a much bigger hassle.”

There you go, don’t reuse passwords!

2_ Old Ladies and Payment Systems

(I’m not going to write too much about this one)

Mikko Hypponen from the Finnish Cyber Security company, F-Secure, did a keynote at BSides London in June 2018. During his talk ‘State of the Net’, he addressed the common issue of securing computer systems used for financial payments. However, he was not talking about securing servers and things making up advanced payment systems. He was rather talking referring to the laptops and desktops used by employees who make the actual payments that keep your business running.

And… he makes a very valid point: Don’t use the same computer that you use for things like Facebook, Twitter, Email and Instagram for your business’ online banking system. Rather use a designated and segregated computer to load and process your payments. This simple step will go a long way in ensuring that the computers used for payments remain secure.

Have a look at the talk here:

3_ Cyber Attacks In Real Life

UK company Hiscox has made a clever video illustrating how a cyber attack would look if it happened in real life.

They show three attack scenarios:• IP Theft: Robbing companies of their ideas and inventions.• Phishing: Fraudulently pretending to be someone else.• Denial of Service: Flooding the target with traffic triggering a crash.

I think this is quite effective in order to create awareness for espcially small businesses, without the usual FUD (Fear, Uncertainty and Doubt) used by lots of security vendors.

Three stories this week (again):

1_ DDoS-ing a Country

(Guy who used the Mirai botnet against Liberia gets jail time in the UK)

In 2016, researchers detected one of the largest publicly recorded Distributed Denial of Service attacks (DDoS). The attack made use of hijacked webcams part of the Mirai botnet and generated traffic up to 500 Gbps. This traffic was directed at the internet infrastructure of the West African nation of Liberia. See 2016 article from Threatpost detailing the attack.

Fast forward 3 years later and one Daniel Kaye has been sentenced to 32 months in the slammer for this DDoS attack. Turns out an employee of the Liberian telecoms company Cellcom (now rebranded as Orange Liberia) hired Mr Kaye to launch the attack on their competitor, Lonestar Cell MTN. Not only did it successfully disrupt Lonestar’s network, it also took down the entire country’s internet!

After the Liberian attacks, Mr Kaye attempted to take control of some of Deutchse Telekom’s routers for more attacks, but this ended up taking about 900,000 routers offline. A week later he again fumbled and inadvertently took down 100,000 UK based routers from three separate ISPs. In the end this was what got the fuzz to hunt him down.

2_ Finding Lazarus at the Watering Hole

Attackers, allegedly linked to North Korea’s Lazarus group, have been fingered for an attack on a Chilean networking company. This company, Redbanc, is basically responsible for all of Chile’s ATM networks.

What makes this attack notable is the method in which Redbanc was compromised – a watering hole attack. Attackers put an advertisement up on LinkedIn, to which a Redbanc employee responded. This then led to a phony Skype interview with a Spanish speaking ‘recruiter’. During the ‘interview’ the employee was tricked into downloading what appeared to be an application form. The application form however turned out to be malware which subsequently infected his work computer.

Luckily the introduced malware was picked up by Redbanc before too much snooping could be done on their network…

3_ Incoming!

Laura was cooking up a storm in her California kitchen, when the loud noise of an emergency broadcast interrupted the bubbling sounds from her simmering chicken broth:

You have three hours to evacuate! North Korea has launched a missile attack on the United States. Move!

Ok, she was probably not making a chicken broth, but you get the idea. Needless to say, panic ensued after the family heard the announcement, thinking it came from their television. It turned out that an attacker managed to hack into their internet connected (IoT) Nest Security Camera and play the fake alert. Luckily, sanity prevailed after an excruciating 30 minutes of trying to figure out which of your favorite cast iron frying pans to take along in the evacuation.

A 20-year-old German man managed to obtain and publish a bunch of personal information of, among others, the Chancellor of Germany, Angela Dorothea Merkel, as well as the German head of state.

If, at this point, you are confused that Merkel is not the German head of state, welcome to the party. Here’s a video of the inauguration of the German President, Frank-Walter Steinmeier: https://www.youtube.com/watch?v=6UsXzwke6OE.

But we digress…

The suspect, who still lives with his parents, claimed to have acted alone when police arrested him earlier this month. The reason for his actions was attributed to anger at “public statements made by politicians, journalists and public figures”. It is unclear how he obtained the leaked information, but it is said to include contact information, credit card details, banking and financial details as well as ID cards and private chats.

2_ Un DoS Tres

(Guy who dossed a Children’s Hospital sentenced)

First things first: If the title of this one made you think of the 1995 Ricky Martin song… here’s the music video for your pleasure: https://www.youtube.com/watch?v=vCEvCXuglqo (and the chap in this story’s name is Martin… Coincidence??)

In 2013, Martin Gottesfeld came to hear about the ‘medical’ child custody case of Justina Pelletier. She was being treated at Boston Children’s Hospital at the time. Taking her fight upon himself, Martin posted a video online claiming to be part of the Anonymous hacking group. He followed this by doxing personal information from people involved in her treatment and then launched a Distributed Denial of Service (DDoS) attack on the Boston Children’s Hospital. The DDoS knocked their internet facing systems offline for two weeks. Fearing arrest by the FBI, Martin and his wife bought a speedboat and fled for Cuba.

Unfortunately for the Gottesfelds, their boat broke down in rough seas and they were forced to send out a distress signal… only to be rescued by a Disney Cruise Liner of all things. In the end, he was arrested and sentenced to 10 years in prison for his efforts.

3_ Collection #1

By this time, you would most probably have heard or read about this one, as it is widely reported on. But, before you start running down corridors screaming ‘the end is nigh!‘, read this first.

This isn’t a new single breach. To quote Troy Hunt, who runs Have I Been Pwnd: The leaked data set is “made up of many different individual data breaches from literally thousands of different sources.”

Brian Krebs also notes that this is old data and offers the following advice relating to the ‘breach’:

If this Collection #1 has you spooked, changing your password(s) certainly can’t hurt — unless of course you’re in the habit of re-using passwords. Please don’t do that. As we can see from the offering above, your password is probably worth way more to you than it is to cybercriminals (in the case of Collection #1, just .000002 cents per password).”